Microcontroller and power management integrated circuit application clustering for safe state management

ABSTRACT

Systems, methods, and circuitries are provided for controlling a microcontroller (MCU) on a per-application basis. A control system includes a microcontroller unit (MCU) including a first application group and a second application group. The first application group includes at least one hardware component not associated with the second application group. The control system includes a power management integrated circuit (PMIC). The PMIC includes monitoring circuitry configured to monitor the first application group to detect a first application group fault condition and monitor the second application group to detect a second application group fault condition. Based on the monitoring, the PMIC provides a first reset signal to the first application group that does not reset the second application group or provides a second reset signal to the second application group that does not reset the first application group.

FIELD

The present disclosure relates to the field of integrated controlsystems that provide safe state operation in response to detection offaults and in particular to methods, systems, and in particular tosystems that include a microcontroller and power management integratedcircuit (IC).

BACKGROUND

Many control systems for automotive components include a safetyinterface between a microcontroller (MCU) that controls the automotivecomponents and a power management IC (PMIC) that controls variouspower-related components (e.g., power supplies and voltage controllers)on the MCU. In response to certain hardware faults on the MCU the PMICmay respond by resetting a power-related component on the MCU.

BRIEF DESCRIPTION OF THE DRAWINGS

Some examples of circuits, apparatuses and/or methods will be describedin the following by way of example only. In this context, reference willbe made to the accompanying Figures.

FIG. 1 is a block diagram of an exemplary control system that supportssafety management on a per-application group basis, in accordance withvarious aspects described.

FIG. 2 is a block diagram of an exemplary control system that supportssafety management on a per-application group basis, in accordance withvarious aspects described.

FIG. 3 is a flow diagram outlining an example method for safetymanagement on a per-application group basis in accordance with variousaspects described.

DETAILED DESCRIPTION

Some safety interfaces between an MCU and PMIC allow for immediate andcomplete safety system activation upon detection of certain faults inthe MCU. The interface may include functions for power management,failure monitors, and circuitry for activation of secondary safetyelements. However, there is a trade-off between system availability andthe scope of safety activation. For example, a fault in a power steeringsystem may cause unrelated systems (engine/transmission electroniccontrol unit (ECU)) to also be transitioned to a safe state operatingmode.

Described herein are control systems that support safety management on aper-application group basis. This increased granularity in faultdetection/safety management may improve system availability. FIG. 1illustrates an exemplary control system 100 that includes PMIC 110,interface 160, and MCU 170. The MCU 170 includes application circuitry180 that includes hardware supporting execution of various applicationsthat control different systems (e.g., various automotive systems in oneexample, however systems in other environments are contemplated). Thehardware of the application circuitry 180 is divided into n applicationgroups or domains, with each group being associated with execution ofone or more applications. Each application group includes at least onededicated hardware component that is capable of being reset or placed ina safe operating mode independent of (e.g., without affecting) hardwarein other application groups. To support the grouping of applications,the MCU 170 may include additional or redundant hardware components ineach application group.

The applications may be grouped in many ways. For example, applicationgroup 0 186 may include applications that perform redundant systemfunctions (e.g., related to fail safe operation electric powersteering). Application group n 188 may include applications associatedwith different systems that are related in some other way (e.g.,powertrain and transmission which are controlled by a single ECU). Aswill be described with reference to FIG. 2 in some examples, thegrouping of applications/hardware may be performed in a flexible mannerthat allows a safety system designer to designate which applications(and associated hardware) belong to which application groups.

Many system faults are correctable by the internal MCU functions,however the PMIC 110 is tasked with recovery and safety control inresponse to certain faults. To this end, the PMIC 110 includes programmonitoring circuitry 120 and hardware monitoring circuitry 130. Programmonitoring circuitry 120 monitors a “common” program status for softwarethat is associated with the application circuitry 180 in general and/orcontrols functions of more than one application group. Such commonsoftware includes, for example, monitoring and fault detection functionsfor the overall MCU 170 performed by software executed by processors inthe PMIC 110. The program monitoring circuitry 120 also separatelymonitors program status for each application group 186, 188. The programmonitoring circuitry 120 is capable of providing reset signals tovarious power-related components on the MCU 170, such as power supplies.For example, the program monitoring circuitry 120 may be capable ofproviding a common “warm reset” signal to application circuitry 180 inwhich certain components common to multiple application groups arerestarted (without interrupting power) and/or all application groups arerestarted. The program monitoring circuitry 120 may also provideindividual warm reset signals to individual application groups 186, 188.

The hardware monitoring circuitry 130 monitors a “common” hardwarestatus for MCU hardware components that are associated with theapplication circuitry 180 in general and/or perform functions of morethan one application group. Such hardware includes, for example,physical power supply rails provided to the MCU 170 including an I/Opower supply rail, a reference power supply rail, an Ethernet powersupply rail, a core power supply rail, and so on. The hardwaremonitoring circuitry 130 also separately monitors hardware status foreach application group 186, 188. The hardware monitoring circuitry 130is capable of providing reset signals to various power-relatedcomponents on the MCU 170, such as power supplies. For example, thehardware monitoring circuitry 130 may be capable of providing warm resetsignals to individual application groups 186, 188. Further, the hardwaremonitoring circuitry 130 monitors for severe hardware faults from theapplication circuitry 180 and is capable of providing a “cold reset”signal to the MCU 170 that causes the main MCU power supply to cycle OFFthen back ON in response to a severe hardware fault.

The PMIC includes group control circuitry 140 that is triggered by theprogram monitoring circuitry 120 or the hardware monitoring circuitry130 to generate safe state control signals that control systemcomponents in a failsafe mode. In one example, the safe state controlsignals are logic signals intended to disable application actuators sothat the application is disconnected (powered off or simply isolatedfrom the overall system properly controlling the actuators) so that theMCU 170 is not erroneously driven by application actuators in thepresence of a fault condition. The safe state control signals may beprovided to the application circuitry 180, individual applicationgroup(s) 186, 188, or directly to system components instead of or inaddition to control signals provided to the system components by theapplication circuitry 180 or application groups 186, 188.

Referring now to FIG. 2, a more detailed block diagram of an exemplarycontrol system 200 is illustrated. The control system 200 includes PMIC210, interface 260, and MCU 270. The interface 260 includes severalinterfaces configured to couple the PMIC 210 to the MCU 270. Theindividual interfaces will be described in the context of their functionbelow. The MCU 270 includes application circuitry 280 having a commonreset input that is coupled to a common warm reset input of the PMIC 210by way of common warm reset interface 262. The common reset function,when triggered by the common reset input, resets multiple applications.For example, if a power supply rail that supplies power to hardwarecomponents in multiple application groups fails, the common resetfunction can be triggered to reset multiple application groups. Hardwarecomponents of the application circuitry 280 are grouped into applicationgroups 286, 288 as described above. In the illustrated example, eachapplication group includes a dedicated processor core, clock system, andpower supply that function independently of applications not in theapplication group.

The MCU 270 includes hardware fault management circuitry 290 thataccumulates hardware alarm signals from the hardware components in theapplication circuitry 280. The hardware fault management circuitry 290maps the hardware alarm signals to one of the application groups or to acommon designation that indicates the hardware performs functions ofmore than one application group. Hardware alarm signals may be flags orinterrupts or other alarm signals. In one example, the mapping operationperformed by hardware fault management circuitry 290 may be controlledor modified so that the grouping of hardware into the variousapplication groups may be changed (e.g., by a safety system designer).Based on the mapping between a received hardware alarm signal and anapplication group (or common group designation), the hardware faultmanagement circuitry 290 provides hardware status signals to the PMICvia severe fault hardware interface 267, group 0 hardware interface 268,or group n hardware interface 269.

A bus interface 265 provides the application circuitry 280 andindividual application groups 286, 288 access to PMIC storage media 215and state machine circuitry 250. The storage media 215 includesresources (e.g., registers) that are individually mapped to anapplication group 286, 288 or to the application circuitry 180. Theapplication circuitry 280 or application groups 286, 288 can control thecontent of their mapped storage media to communicate information relatedto program status (e.g., via Window or Q/A watchdogs). In one example,the bus interface 265 is a serial peripheral interface (SPI) orinter-integrated circuit (I2C) interface. While only one HW interface isshown for each application group, in some examples, multiple HWinterfaces may be used for some or all application groups.

The PMIC 210 includes hardware monitoring circuitry 230 that includesmonitoring modules for severe fault monitoring 231 and individualapplication group hardware monitoring (e.g., group 0 hardware monitoring232, and group n hardware monitoring 238). A module may be implementedusing hardware components and/or a processor executing storedinstructions for monitoring signals being received on interfaces 267,268, 269 and generating appropriate reset signals in response. When thesevere fault monitoring module 231 detects a severe hardware fault, itgenerates a common cold reset signal that is provided to common coldreset interface 231. This signal is provided to a cold reset input ofthe MCU 270 and resets the MCU 270 (e.g., by cycling a main power supplyof the MCU OFF and then ON).

Optionally, the severe fault monitoring module may generate a warm resetsignal provided to the application circuitry 280 when a less severehardware fault is detected or when hardware faults are detected inseveral different application groups. When the group hardware monitoringmodule 232 detects a hardware fault via interface 268, the module 232generates a reset signal that is provided to application group 0 viagroup 0 reset interface 263. When the group hardware monitoring module238 detects a hardware fault via interface 269, the module 238 generatesa reset signal that is provided to application group n via group n resetinterface 264.

Program monitoring circuitry 220 monitors the storage media 215 todetermine program flow status of the application circuitry 280. Wheninformation is stored in in the storage media 215 that indicates asoftware error associated with the application circuitry 280 or commonto several application groups has occurred, the program monitoringcircuitry 220 generates a warm reset signal that is provided to theapplication circuitry 280 by way of common warm reset interface 262.Program monitoring circuitry 220 includes monitoring modules forindividual application group software monitoring (e.g., group 0 softwaremonitoring circuitry 222, and group n software monitoring circuitry228). A module may be implemented using hardware components and/or aprocessor executing stored instructions for monitoring the content ofselected portions of storage media 215 and generating appropriate resetsignals in response.

For example, when the group software monitoring module 222 detects asoftware or program flow fault based on information stored in the group0 storage media (e.g., register), the module 222 generates a resetsignal that is provided to an application specific reset input forapplication group 0 via group 0 application specific interface 263. Whenthe group software monitoring module 228 detects a software or programflow fault based on information stored in the group n storage media(e.g., register), the module 228 generates a reset signal that isprovided to an application specific reset input for application group nvia group n application specific interface 264.

The program monitoring circuitry 220 maps different storage media to thedifferent application groups. In one example, the mapping operationperformed by program monitoring circuitry 220 may be adjustable so thatthe mapping of storage media to the various application groups may bechanged (e.g., by a safety system designer).

Group control circuitry 240 receives status signals from programmonitoring circuitry 220, hardware monitoring circuitry 230, individualgroup hardware monitoring modules 232, 238, and individual groupsoftware monitoring modules 222, 228. Based on these signals, the groupcontrol circuitry 240 provides individual (e.g., per application group)control signals and secondary safety path (SSP) activation signals. Inone example, SSP activation signals disconnect specific applicationsfrom loads/actuators thereby isolating an application that isexperiencing a fault condition from the system to avoid propagation offaults to other applications. The group control circuitry 240 may alsoprovide a common SSP activation signal that activates SSP for allapplication groups when a severe hardware fault or common software erroris detected.

State machine circuitry 250 provides state management and stateretention information for each application group and/or all applicationgroups as a whole for various hardware faults and software errors andcorresponding safety reactions and state transitions. The state machinecircuitry 250 allows the PMIC to reach specific states where SSPactivation signals, individual power supply rails, and alarms can betriggered according to specific configurations of the various faultconditions monitored by program monitoring circuitry 220 and hardwaremonitoring circuitry 230. For example, when a severe fault is detected,the system (e.g., the MCU 270 and components controlled by the MCU 270)may be moved into FAILSAFE or the system, or a subset, may bere-initialized.

The isolation of application groups provided by the control systems 100,200 provides the possible mapping of application function from a failedapplication group to another working application group. Faster recoveryfrom a hardware fault or software error is likely because only thosehardware components associated with the application group may be resetas compared to resetting the entire MCU. The described control systemsprovide individual activation of SSP signals to different applicationgroups, allowing unaffected groups to function normally. In addition tocontaining hardware components associated with different systemfunctions, the different application groups may contain sets ofredundant hardware that provide a fail-operational functionality byactivating a different application group when a first application groupfails.

FIG. 3 is a flow diagram outlining an exemplary method 300 for safetymanagement on a per-application group basis. The method includes, at310, monitoring a first application group of a microcontroller unit(MCU) to detect a first application group fault condition and, at 320,monitoring a second application group of the MCU to detect a secondapplication group fault condition. The first application group includesat least one hardware component not associated with the secondapplication group. Based on the monitoring, at 330, the method includesproviding a first reset signal to the first application group that doesnot reset the second application group or, at 340, providing a secondreset signal to the second application group that does not reset thefirst application group. In one example, depending on the monitoring,the method may include providing both the first and second reset signalto the first application group and second application group,respectively.

It can be seen from the foregoing description that the describedsystems, circuitries, and methods allow for safety management on aper-application group basis. This increases the level of end-systemavailability through power management measures and provides increasedgranularity in MCU monitoring and safe state activation elements, aswell as status retention of the safe state activation.

While the invention has been illustrated and described with respect toone or more implementations, alterations and/or modifications may bemade to the illustrated examples without departing from the spirit andscope of the appended claims. In particular regard to the variousfunctions performed by the above described components or structures(assemblies, devices, circuits, circuitries, systems, etc.), the terms(including a reference to a “means”) used to describe such componentsare intended to correspond, unless otherwise indicated, to any componentor structure which performs the specified function of the describedcomponent (e.g., that is functionally equivalent), even though notstructurally equivalent to the disclosed structure which performs thefunction in the herein illustrated exemplary implementations of theinvention.

Examples can include subject matter such as a method, means forperforming acts or blocks of the method, at least one machine-readablemedium including instructions that, when performed by a machine causethe machine to provide safety management on a per-application groupbasis according to embodiments and examples described herein.

Example 1 is a control system, including a microcontroller unit (MCU)including a first application group and a second application group,wherein the first application group includes at least one hardwarecomponent not associated with the second application group; and a powermanagement integrated circuit (PMIC), The PMIC includes monitoringcircuitry configured to monitor the first application group to detect afirst application group fault condition and monitor the secondapplication group to detect a second application group fault condition;and based on the monitoring, provide a first reset signal to the firstapplication group that does not reset the second application group orprovide a second reset signal to the second application group that doesnot reset the first application group.

Example 2 includes the subject matter of example 1, including oromitting optional elements, wherein the PMIC includes program monitoringcircuitry configured to monitor a program status of the firstapplication group and a program status of the second application group;and based on the program status monitoring, provide the first resetsignal, provide the second reset signal, or provide both the first resetsignal and the second reset signal.

Example 3 includes the subject matter of example 1, including oromitting optional elements, wherein the PMIC includes hardwaremonitoring circuitry configured to monitor a hardware status of thefirst application group and a hardware status of the second applicationgroup; and based on the hardware status monitoring, provide the firstreset signal, provide the second reset signal, provide both the firstreset signal and the second reset signal, or provide a cold reset signalto the MCU.

Example 4 includes the subject matter of example 1, including oromitting optional elements, further including a bus interface connectingthe MCU to the PMIC, wherein the MCU is configured to access resourceson the PMIC by way of the bus interface.

Example 5 includes the subject matter of example 1, including oromitting optional elements, wherein the PMIC includes first storagemedia allocated to the first application group and second storage mediaallocated to the second application group; the first application groupis configured to store information related to program status in thefirst storage media and the second application group is configured tostore information related to program status in the second storage media,the PMIC includes first group software monitoring circuitry configuredto monitor the first storage media to determine a first program statusof the first application group and second group software monitoringcircuitry configured to monitor the second storage media to determine asecond program status of the second application group; and wherein thePMIC provides the first reset signal, the second reset signal, or boththe first reset signal and the second reset signal based on the firstprogram status and the second program status.

Example 6 includes the subject matter of example 1, including oromitting optional elements, wherein the PMIC includes state machinecircuitry that provides, for each application group, state retentioninformation and state management information defining state transitionsin response to fault conditions; the first application group isconfigured to access the state machine circuitry and control operationof the first application group based on the state retention informationand state management information for the first application group; andthe second application group is configured to access the state machinecircuitry and control operation of the second application group based onthe state retention information and state management information for thesecond application group.

Example 7 includes the subject matter of example 1, including oromitting optional elements, wherein the PMIC further includes groupcontrol circuitry configured to provide first safe state control signalsto adjust operation of components in response to detecting a firstapplication group fault and second safe state control signals to adjustoperation of components in response to detecting a second applicationgroup fault.

Example 8 includes the subject matter of example 1, including oromitting optional elements, wherein the MCU further includes hardwarefault management circuitry configured to receive hardware alarm signalsindicative of hardware faults in the MCU; map the received hardwarealarm signals to the first application group, the second applicationgroup, or a common group shared by the first application group and thesecond application group; and based on the mapping, provide a hardwarestatus signal to the PMIC.

Example 9 includes the subject matter of example 1, including oromitting optional elements, wherein the at least one hardware componentnot associated with the second application group includes a processorcore, a power supply, or a clock.

Example 10 is a method, including monitoring a first application groupof a microcontroller unit (MCU) to detect a first application groupfault condition; monitoring a second application group of the MCU todetect a second application group fault condition, wherein the firstapplication group includes at least one hardware component notassociated with the second application group; and based on themonitoring, providing a first reset signal to the first applicationgroup that does not reset the second application group, or providing asecond reset signal to the second application group that does not resetthe first application group.

Example 11 includes the subject matter of example 10, including oromitting optional elements, including: monitoring a first program statusof the first application group; monitoring a second program status ofthe second application group; providing the first reset signal based onthe first program status; and providing the second reset signal based onthe second program status.

Example 12 includes the subject matter of example 11, including oromitting optional elements, including storing the first program statusof the first application group in a first storage media; storing thesecond program status of the second application group in a secondstorage media; monitoring the first storage media to determine the firstprogram status; and monitoring the second storage media to determine thesecond program status.

Example 13 includes the subject matter of example 12, including oromitting optional elements, wherein the first storage media and thesecond storage media are disposed in a power management integratedcircuit (PMIC) connected to the MCU by a bus.

Example 14 includes the subject matter of example 10, including oromitting optional elements, controlling operation of the firstapplication group based on state retention information and statemanagement information for the first application group; and controllingoperation of the second application group based on state retentioninformation and state management information for the second applicationgroup.

Example 15 includes the subject matter of example 10, including oromitting optional elements, including providing first safe state controlsignals to adjust operation of first components in response to detectinga first application group fault; and providing second safe state controlsignals to adjust operation of second components in response todetecting a second application group fault.

Example 16 includes the subject matter of example 10, including oromitting optional elements, including monitoring a hardware status ofthe first application group; monitoring a hardware status of the secondapplication group; providing the first reset signal based on thehardware status monitoring; and providing the second reset signal basedon the hardware status monitoring.

Example 16 includes the subject matter of example 10, including oromitting optional elements, including receiving hardware alarm signalsindicative of hardware faults in the MCU; mapping the received hardwarealarm signals to the first application group, the second applicationgroup, or a common group shared by the first application group and thesecond application group; and based on the mapping, providing the firstreset signal and the second reset signal.

Example 18 includes the subject matter of example 10, including oromitting optional elements, wherein the at least one hardware componentnot present in the second application group is a processor core, a powersupply, or a clock.

Example 19 is an interface, including a first application specificinterface configured to couple a first application specific reset inputof a first application group in a microcontroller unit (MCU) to a powermanagement integrated circuit (PMIC); and a second application specificinterface configured to couple a second application specific reset inputof a second application group in the MCU to the PMIC, wherein the firstapplication group includes at least one hardware component notassociated with the second application group.

Example 20 includes the subject matter of example 19, including oromitting optional elements, further including a common warm resetinterface configured to couple a common warm reset input of applicationcircuitry in the MCU to program monitoring circuitry in the PMIC.

Example 21 includes the subject matter of example 19, including oromitting optional elements, further including a cold reset interfaceconfigured to couple a cold reset input of the MCU to hardwaremonitoring circuitry in the PMIC.

The foregoing description of one or more implementations providesillustration and description, but is not intended to be exhaustive or tolimit the scope of the example embodiments to the precise formdisclosed. Modifications and variations are possible in light of theabove teachings or may be acquired from practice of variousimplementations of the example embodiments.

Various illustrative logics, logical blocks, modules, circuitries, andcircuits described in connection with aspects disclosed herein can beimplemented or performed with a general purpose processor, a digitalsignal processor (DSP), an application specific integrated circuit(ASIC), a field programmable gate array (FPGA) or other programmablelogic device, discrete gate or transistor logic, discrete hardwarecomponents, or any combination thereof designed to perform functionsdescribed herein. A general-purpose processor can be a microprocessor,but, in the alternative, processor can be any conventional processor,controller, microcontroller, or state machine.

The above description of illustrated embodiments of the subjectdisclosure, including what is described in the Abstract, is not intendedto be exhaustive or to limit the disclosed embodiments to the preciseforms disclosed. While specific embodiments and examples are describedherein for illustrative purposes, various modifications are possiblethat are considered within the scope of such embodiments and examples,as those skilled in the relevant art can recognize.

In this regard, while the disclosed subject matter has been described inconnection with various embodiments and corresponding Figures, whereapplicable, it is to be understood that other similar embodiments can beused or modifications and additions can be made to the describedembodiments for performing the same, similar, alternative, or substitutefunction of the disclosed subject matter without deviating therefrom.Therefore, the disclosed subject matter should not be limited to anysingle embodiment described herein, but rather should be construed inbreadth and scope in accordance with the appended claims below.

In the present disclosure like reference numerals are used to refer tolike elements throughout, and wherein the illustrated structures anddevices are not necessarily drawn to scale. As utilized herein, terms“module”, “component,” “system,” “circuit,” “circuitry,” “element,”“slice,” and the like are intended to refer to a computer-relatedentity, hardware, software (e.g., in execution), and/or firmware. Forexample, circuitry or a similar term can be a processor, a processrunning on a processor, a controller, an object, an executable program,a storage device, and/or a computer with a processing device. By way ofillustration, an application running on a server and the server can alsobe circuitry. One or more circuitries can reside within a process, andcircuitry can be localized on one computer and/or distributed betweentwo or more computers. A set of elements or a set of other circuitry canbe described herein, in which the term “set” can be interpreted as “oneor more.”

As another example, circuitry or similar term can be an apparatus withspecific functionality provided by mechanical parts operated by electricor electronic circuitry, in which the electric or electronic circuitrycan be operated by a software application or a firmware applicationexecuted by one or more processors. The one or more processors can beinternal or external to the apparatus and can execute at least a part ofthe software or firmware application. As yet another example, circuitrycan be an apparatus that provides specific functionality throughelectronic components without mechanical parts; the electroniccomponents can include field gates, logical components, hardware encodedlogic, register transfer logic, one or more processors therein toexecute software and/or firmware that confer(s), at least in part, thefunctionality of the electronic components.

It will be understood that when an element is referred to as being“electrically connected” or “electrically coupled” to another element,it can be physically connected or coupled to the other element such thatcurrent and/or electromagnetic radiation can flow along a conductivepath formed by the elements. Intervening conductive, inductive, orcapacitive elements may be present between the element and the otherelement when the elements are described as being electrically coupled orconnected to one another. Further, when electrically coupled orconnected to one another, one element may be capable of inducing avoltage or current flow or propagation of an electro-magnetic wave inthe other element without physical contact or intervening components.Further, when a voltage, current, or signal is referred to as being“applied” to an element, the voltage, current, or signal may beconducted to the element by way of a physical connection or by way ofcapacitive, electro-magnetic, or inductive coupling that does notinvolve a physical connection.

Use of the word exemplary is intended to present concepts in a concretefashion. The terminology used herein is for the purpose of describingparticular examples only and is not intended to be limiting of examples.As used herein, the singular forms “a,” “an” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. It will be further understood that the terms “comprises,”“comprising,” “includes” and/or “including,” when used herein, specifythe presence of stated features, integers, steps, operations, elementsand/or components, but do not preclude the presence or addition of oneor more other features, integers, steps, operations, elements,components and/or groups thereof. As used herein the term “or” includesthe option of all elements related by the word or. For example A or B isto be construed as include only A, only B, and both A and B. Further thephrase “one or more of” followed by A, B, or C is to be construed asincluding A, B, C, AB, AC, BC, and ABC

What is claimed is:
 1. A control system, comprising: a microcontrollerunit (MCU) comprising a first application group and a second applicationgroup, wherein the first application group comprises at least onehardware component not associated with the second application group; anda power management integrated circuit (PMIC) comprising monitoringcircuitry configured to monitor the first application group to detect afirst application group fault condition and monitor the secondapplication group to detect a second application group fault condition;and based on the monitoring, provide a first reset signal to the firstapplication group that does not reset the second application group orprovide a second reset signal to the second application group that doesnot reset the first application group.
 2. The control system of claim 1wherein the PMIC comprises program monitoring circuitry configured to:monitor a program status of the first application group and a programstatus of the second application group; and based on the program statusmonitoring, provide the first reset signal, provide the second resetsignal, or provide both the first reset signal and the second resetsignal.
 3. The control system of claim 1, wherein the PMIC compriseshardware monitoring circuitry configured to: monitor a hardware statusof the first application group and a hardware status of the secondapplication group; and based on the hardware status monitoring, providethe first reset signal, provide the second reset signal, provide boththe first reset signal and the second reset signal, or provide a coldreset signal to the MCU.
 4. The control system of claim 1, furthercomprising a bus interface connecting the MCU to the PMIC, wherein theMCU is configured to access resources on the PMIC by way of the businterface.
 5. The control system of claim 1, wherein: the PMIC comprisesfirst storage media allocated to the first application group and secondstorage media allocated to the second application group; the firstapplication group is configured to store information related to programstatus in the first storage media and the second application group isconfigured to store information related to program status in the secondstorage media, the PMIC comprises first group software monitoringcircuitry configured to monitor the first storage media to determine afirst program status of the first application group and second groupsoftware monitoring circuitry configured to monitor the second storagemedia to determine a second program status of the second applicationgroup; and wherein the PMIC provides the first reset signal, the secondreset signal, or both the first reset signal and the second reset signalbased on the first program status and the second program status.
 6. Thecontrol system of claim 1, wherein: the PMIC comprises state machinecircuitry that provides, for each application group, state retentioninformation and state management information defining state transitionsin response to fault conditions; the first application group isconfigured to access the state machine circuitry and control operationof the first application group based on the state retention informationand state management information for the first application group; andthe second application group is configured to access the state machinecircuitry and control operation of the second application group based onthe state retention information and state management information for thesecond application group.
 7. The control system of claim 1, wherein thePMIC further comprises group control circuitry configured to providefirst safe state control signals to adjust operation of components inresponse to detecting a first application group fault and second safestate control signals to adjust operation of components in response todetecting a second application group fault.
 8. The control system ofclaim 1, wherein the MCU further comprises hardware fault managementcircuitry configured to: receive hardware alarm signals indicative ofhardware faults in the MCU; map the received hardware alarm signals tothe first application group, the second application group, or a commongroup shared by the first application group and the second applicationgroup; and based on the mapping, provide a hardware status signal to thePMIC.
 9. The control system of claim 1, wherein the at least onehardware component not associated with the second application groupcomprises a processor core, a power supply, or a clock.
 10. A method,comprising: monitoring a first application group of a microcontrollerunit (MCU) to detect a first application group fault condition;monitoring a second application group of the MCU to detect a secondapplication group fault condition, wherein the first application groupcomprises at least one hardware component not associated with the secondapplication group; and based on the monitoring, providing a first resetsignal to the first application group that does not reset the secondapplication group, or providing a second reset signal to the secondapplication group that does not reset the first application group. 11.The method of claim 10, comprising: monitoring a first program status ofthe first application group; monitoring a second program status of thesecond application group; providing the first reset signal based on thefirst program status; and providing the second reset signal based on thesecond program status.
 12. The method of claim 11, comprising: storingthe first program status of the first application group in a firststorage media; storing the second program status of the secondapplication group in a second storage media; monitoring the firststorage media to determine the first program status; and monitoring thesecond storage media to determine the second program status.
 13. Themethod of claim 12, wherein the first storage media and the secondstorage media are disposed in a power management integrated circuit(PMIC) connected to the MCU by a bus.
 14. The method of claim 10,comprising: controlling operation of the first application group basedon state retention information and state management information for thefirst application group; and controlling operation of the secondapplication group based on state retention information and statemanagement information for the second application group.
 15. The methodof claim 10, comprising: providing first safe state control signals toadjust operation of first components in response to detecting a firstapplication group fault; and providing second safe state control signalsto adjust operation of second components in response to detecting asecond application group fault.
 16. The method of claim 10, comprising:monitoring a hardware status of the first application group; monitoringa hardware status of the second application group; providing the firstreset signal based on the hardware status monitoring; and providing thesecond reset signal based on the hardware status monitoring.
 17. Themethod of claim 16, comprising: receiving hardware alarm signalsindicative of hardware faults in the MCU; mapping the received hardwarealarm signals to the first application group, the second applicationgroup, or a common group shared by the first application group and thesecond application group; and based on the mapping, providing the firstreset signal and the second reset signal.
 18. The method of claim 10,wherein the at least one hardware component not present in the secondapplication group is a processor core, a power supply, or a clock. 19.An interface, comprising: a first application specific interfaceconfigured to couple a first application specific reset input of a firstapplication group in a microcontroller unit (MCU) to a power managementintegrated circuit (PMIC); and a second application specific interfaceconfigured to couple a second application specific reset input of asecond application group in the MCU to the PMIC, wherein the firstapplication group comprises at least one hardware component notassociated with the second application group.
 20. The interface of claim19, further comprising: a common warm reset interface configured tocouple a common warm reset input of application circuitry in the MCU toprogram monitoring circuitry in the PMIC.
 21. The interface of claim 19,further comprising: a cold reset interface configured to couple a coldreset input of the MCU to hardware monitoring circuitry in the PMIC.